Malicious PDF — malware analysis report

Static analysis result for SHA-256 2465eba131b76cfc…

Verdict: MALICIOUS
File type: PDF
Size: 45.8 KB
Created: 2021-05-20 03:47:00 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-29

MD5: 66520ab039f9136d6bdec35ef441c46c
SHA-1: 6cc87342ad4f63d82fb02618c3617af10b41d63d
SHA-256: 2465eba131b76cfc05407a0258e2f4c277abc9bc9392b42ca5320372825a36e0

Risk score: 82

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1204.002 User Execution: Malicious File (T1204.002 is the file sub-technique; T1204.001 is Malicious Link)

The document displays a fake CAPTCHA / human-verification lure, a social engineering tactic used to get the reader to interact with malicious content (click through, run a command, or press a key sequence). It also carries one clickable link annotation (the netcdn.xyz URL below) whose target is consistent with the fake-CAPTCHA flow, so the document's primary purpose appears to be redirecting the reader to a site that likely hosts further malicious or fraudulent content. The many URLs in the document text advertising game cheats, free in-game currency and "no verification" generators point to a scam / phishing campaign rather than a legitimate document. Two caveats for the analyst: the verdict rests on social-engineering indicators (lure text and URLs) rather than on an exploit or embedded script, and the static analysis here did not visit any of the listed URLs. The authoring application (wkhtmltopdf) indicates the file was rendered from an HTML page, which is consistent with mass-produced landing pages of this kind.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9432

Heuristics (4)

  • SE_FAKE_CAPTCHA (severity: high) — Fake CAPTCHA / human verification prompt
    Document displays a fake CAPTCHA or human-verification prompt, used to trick users into running commands or pressing keyboard shortcuts.
  • SE_DOWNLOAD_BUTTON (severity: low) — Visual download / call-to-action button lure
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.). Low-signal on its own; meaningful only when other findings point to a malicious workflow.
  • PDF_URI (severity: info) — External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (severity: info) — Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the channel label on each URL states how it was reached (macro, JavaScript, link annotation, document body, etc.).
    • https://netcdn.xyz/app/431946152/cpbild.co-robux-game-hack (PDF link annotation)
    • http://cosver.eu/images/free-robux-only-1-step_GM431946152.pdf (in PDF document text)
    • http://cosver.eu/images/pokemon-go-free-clothes_GM1094591345.pdf (in PDF document text)
    • http://cosver.eu/images/minecraft-bedrock-free-download-pc_GM479516143.pdf (in PDF document text)
    • http://cosver.eu/images/free-coin-master-spins-no-verification_GM406889139.pdf (in PDF document text)
    • http://cosver.eu/images/ro-ghoul-script_GM431946152.pdf (in PDF document text)
    • http://cosver.eu/images/coin-master-mod-version-free-download-v344_GM406889139.pdf (in PDF document text)
    • http://cosver.eu/images/free-roblox-generator_GM431946152.pdf (in PDF document text)
    • http://cosver.eu/images/coin-master-hack-pc-free_GM406889139.pdf (in PDF document text)
    • http://cosver.eu/images/latest-free-spin-coin-master-daily_GM406889139.pdf (in PDF document text)
    • http://cosver.eu/images/coin-master-70-spin-link-today_GM406889139.pdf (in PDF document text)
    • http://cosver.eu/images/robux-free-online_GM431946152.pdf (in PDF document text)
    • http://cosver.eu/images/coin-master-cheats-2021_GM406889139.pdf (in PDF document text)
    • http://cosver.eu/images/robux-hack-tools_GM431946152.pdf (in PDF document text)
    • http://cosver.eu/images/coin-master-free-spins-2021_GM406889139.pdf (in PDF document text)
    • http://cosver.eu/images/free-robux-generator-no-survey_GM431946152.pdf (in PDF document text)
    • http://cosver.eu/images/www-robux-com_GM431946152.pdf (in PDF document text)
    • http://cosver.eu/images/coin-master-hack-pro-gamers_GM406889139.pdf (in PDF document text)
    • http://cosver.eu/images/roblox-pics_GM431946152.pdf (in PDF document text)
    • http://cosver.eu/images/coinmaster-twitter_GM406889139.pdf (in PDF document text)
    • http://cosver.eu/images/free-robux-no-human-verification-or-survey-2021_GM431946152.pdf (in PDF document text)
    • http://en.wikipedia.org/wiki/MIT_License (in PDF document text)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                        Kind                      Source                                      Size
stream_003_off000048d3.bin      decompressed-pdf-stream   PDF FlateDecoded stream at offset 0x48D3    27036 bytes
    SHA-256: eb886ac903d14e247e494da602c336d391a8853aa553c1971059ddaf78e3c919
font_01_sfnt_off0000861a.bin    pdf-font-stream           PDF embedded font (sfnt) at offset 0x861A   2832 bytes
    SHA-256: 77ae1c4cffa647a8fd533dfa4102e94364989f9e80b9cd131876e9d1005899a2
font_02_sfnt_off00008fcb.bin    pdf-font-stream           PDF embedded font (sfnt) at offset 0x8FCB   18460 bytes
    SHA-256: 99048da186b71c9dfc5fc272bc085340ca0662c1721045875ee4c725f3f8eda0
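The EMBEDDED_URL channel labels above (link annotation versus document text) and the carved FlateDecode stream artifacts both come from the same kind of low-level pass over the file. The following Python script is an added example written for this page, not code from the report's analysis engine, showing how an analyst can reproduce both checks offline: it inflates every /FlateDecode stream and hashes it (like the decompressed-pdf-stream artifact), pulls URLs out of /URI link actions separately from URLs found in page text, and flags fake-CAPTCHA lure phrases in that text. The PDF it analyses is constructed inline and is not the sample above; the example.invalid hostnames, object layout and lure wording are all made up for the demonstration.

```python
import hashlib
import re
import zlib

# Constructed text for the sample content stream (not from the analysed file):
# a fake human-verification line plus a URL that appears only in page text.
SAMPLE_TEXT = (
    b"BT /F1 12 Tf 72 700 Td (I am not a robot - verify you are human) Tj "
    b"72 680 Td (http://example.invalid/free-robux-only-1-step.pdf) Tj ET"
)


def build_sample_pdf() -> bytes:
    """Build a minimal PDF with one /URI link annotation and one FlateDecode
    content stream. No xref table is written; the extractor below never needs
    one, which is also why it copes with truncated or mangled files."""
    stream = zlib.compress(SAMPLE_TEXT)
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [5 0 R] >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(stream)
        + stream + b"\nendstream",
        b"<< /Type /Annot /Subtype /Link /Rect [72 690 300 710] "
        b"/A << /S /URI /URI (https://example.invalid/app/1/cpbild.co-robux-game-hack) >> >>",
    ]
    pdf = b"%PDF-1.4\n"
    for num, body in enumerate(objs, start=1):
        pdf += b"%d 0 obj\n%s\nendobj\n" % (num, body)
    return pdf + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


# A flat dictionary (no nested << >>); link actions are normally written this way.
FLAT_DICT_RE = re.compile(rb"<<(?P<d>[^<>]*)>>")
URI_STRING_RE = re.compile(rb"/URI\s*\((?P<uri>[^)]*)\)")
# Stream dictionary (one nesting level allowed) followed by its stream body.
STREAM_RE = re.compile(
    rb"(?P<dict><<(?:[^<>]|<<[^<>]*>>)*>>)\s*stream\r?\n(?P<data>.*?)\r?\nendstream",
    re.DOTALL,
)
URL_RE = re.compile(rb"https?://[^\s()<>\"']+")
LURE_PHRASES = (b"not a robot", b"verify you are human", b"human verification", b"captcha")


def link_annotation_uris(pdf: bytes) -> list:
    """URLs reached through /A << /S /URI /URI (...) >> actions, i.e. the
    'PDF link annotation' channel. Hex-string URIs (<...>) are not decoded
    here; a production tool should handle them as well."""
    found = []
    for m in FLAT_DICT_RE.finditer(pdf):
        d = m.group("d")
        if re.search(rb"/S\s*/URI\b", d):
            u = URI_STRING_RE.search(d)
            if u:
                found.append(u.group("uri").decode("latin-1"))
    return found


def carve_flate_streams(pdf: bytes) -> list:
    """Inflate every /FlateDecode stream and hash the result, mirroring the
    'decompressed-pdf-stream' artifacts. Offsets point at the start of the
    compressed data. Streams that fail to inflate are skipped rather than
    trusted; in real triage a bad /Length or corrupt stream is itself a finding."""
    out = []
    for m in STREAM_RE.finditer(pdf):
        if b"/FlateDecode" not in m.group("dict"):
            continue
        try:
            data = zlib.decompress(m.group("data"))
        except zlib.error:
            continue
        out.append({"offset": m.start("data"), "data": data,
                    "sha256": hashlib.sha256(data).hexdigest()})
    return out


def analyse(pdf: bytes) -> dict:
    """Report which channel reached which URL and whether page text carries a
    fake-CAPTCHA lure. Real content streams often split text across TJ arrays,
    so URLs in page text can be fragmented; a proper PDF text extractor that
    reassembles runs should be used before trusting a negative result."""
    report = {"link_annotation_urls": link_annotation_uris(pdf),
              "document_text_urls": [], "fake_captcha_hits": [], "streams": []}
    for s in carve_flate_streams(pdf):
        report["streams"].append({"offset": hex(s["offset"]), "size": len(s["data"]),
                                  "sha256": s["sha256"]})
        report["document_text_urls"] += [u.decode("latin-1") for u in URL_RE.findall(s["data"])]
        low = s["data"].lower()
        report["fake_captcha_hits"] += [p.decode() for p in LURE_PHRASES if p in low]
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(analyse(build_sample_pdf()), indent=2))
```

Run it as-is to see the constructed sample's report; to triage a real file, pass its bytes to analyse() instead of build_sample_pdf(). Keeping the link-annotation channel separate from the document-text channel matters because only the former is clickable without the reader retyping anything, which is why the netcdn.xyz URL above carries more weight than the cosver.eu list.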